Is chocomintx/xiaohongshutools safe?

https://github.com/openclaw/skills/tree/main/skills/chocomintx/xiaohongshutools

76
CAUTION

This skill is a reverse-engineered XiaoHongShu (Little Red Book) API client that bypasses the platform's anti-bot protections to enable automated scraping and social manipulation (following, liking, commenting, view inflation). No malicious code, data exfiltration, or prompt injection was detected — the skill does what it claims. However, its ToS-violating nature, sensitive credential handling, and social manipulation capabilities pose significant ethical and legal risks to users.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 20/100 · 5%

Findings (9)

HIGH ToS-violating automation toolkit with social manipulation capabilities -60

This skill is a complete reverse-engineered API client for XiaoHongShu that bypasses all anti-bot protections. It includes functions for automated following, liking, commenting, and view count inflation (add_note_readnum). When injected into an LLM agent's context, the agent could autonomously perform mass social manipulation without the user fully understanding the implications.

HIGH Substantial reverse-engineered cryptographic codebase -25

The skill contains ~28 Python files implementing reverse-engineered versions of XiaoHongShu's proprietary encryption algorithms including DES (for GID generation), ARC4/RC4 (for fingerprint encryption), custom Base64 encoding, and multi-layered signature generation. While no malicious patterns were found, the complexity makes full audit difficult and the code quality (e.g., directory named 'fuck_reverse_crypto') suggests informal development practices.

MEDIUM Sensitive credential handling in authentication flow -20

The skill asks users to provide web_session cookies (XHS authentication tokens) and includes a send_code function that accepts phone numbers for SMS verification. When used through an LLM agent, there is risk that the agent may handle these credentials carelessly (e.g., logging them, including them in responses to the user, or persisting them in conversation context).

MEDIUM View count inflation function (add_note_readnum) -15

The note.add_note_readnum() function artificially inflates note view counts by simulating enter/exit metrics with randomized stay times. This is explicitly designed to manipulate platform metrics and could be used at scale through agent automation.

MEDIUM Third-party dependency installation -10

The skill requires pip install of aiohttp, loguru, pycryptodome, and getuseragent. While these are legitimate PyPI packages, the getuseragent package is used specifically for user-agent spoofing to evade bot detection, reinforcing the ToS-circumvention nature of this tool.

LOW Hardcoded author-specific path in example code -3

The SKILL.md contains a hardcoded Windows path specific to the skill author's machine. While not a security threat, it indicates the skill was not properly generalized for distribution and could cause confusion if an LLM agent tries to use it literally.

LOW User-configurable proxy could redirect traffic -5

The proxy parameter accepts arbitrary HTTP and SOCKS5 proxy URLs. While this is user-configurable and not auto-set, a social engineering attack could trick users into routing XHS traffic through a malicious proxy to intercept credentials.

INFO Clean installation with no suspicious activity -5

The git clone and dependency installation produced only expected network connections (GitHub, Ubuntu mirrors, PyPI) and no filesystem changes outside standard paths. No connections to XiaoHongShu servers during installation.

INFO All honeypot files intact 0

No canary files were accessed or modified during installation or inspection, indicating no credential harvesting behavior.